Why is the “PerfektBlue” (with a K) automotive vulnerability in the news?
And why are people more likely to read the cyber press alarms that emphasize the vulnerability than the reports that emphasize the fix?
Unlike the cyber press, I will report the fix first.
OpenSynergy
For example, OpenSynergy, author of the Blue SDK for remote Bluetooth access to automobiles, issued this statement on July 9, 2025:
“OpenSynergy was notified in May 2024 by PCA Cyber Security (formerly PCAutomotive) about a couple of potential vulnerabilities (named PerfektBlue) in Blue SDK.
“We are pleased to confirm that corrections were applied and fixed the potential vulnerabilities, and relative patches were supplied to our customers in September 2024.”
PCA Cyber Security
Why was OpenSynergy addressing a 2024 vulnerability in 2025? Because the cybersecurity press is just now reporting on the vulnerability…because PCA Cyber Security intentionally refrained from publicizing it.
“[W]e reported all the findings to OpenSynergy in May, 2024. They acknowledged, and rolled out patches to the customers of BlueSDK in September, 2024. It was decided to wait until all of OpenSynergy customers applied the patches before this publication.
“To protect against PerfektBlue, you can update your system or disable the Bluetooth functionality entirely.”
CyberScoop
What can happen if you don’t patch your car? Here is what CyberScoop said:
“Successful exploitation of the infotainment system could theoretically provide attackers with access to GPS tracking, audio recording capabilities, and contact information. Researchers also note that weak network segmentation could potentially allow attackers to access other vehicle systems, though this would depend on additional vulnerabilities and the specific architecture of each vehicle.”
CyberScoop also clarified why the vulnerability wasn’t revealed back in September 2024 when the patches were released:
“[T]he complex nature of automotive supply chains has created challenges in patch distribution. Some original equipment manufacturers had not received the necessary updates as late as June 2025, nearly a year after the initial disclosure. This delay prompted the researchers to proceed with public disclosure while withholding the identity of the fourth manufacturer.”
The three identified manufacturers and systems are Mercedes-Benz’s NTG6 system, Volkswagen’s MEB ICAS3 unit, and Skoda’s MIB3 system.
Mercedes-Benz, Skoda, and Volkswagen
Oddly enough, I can’t find any statements from the three known manufacturers. You would think they would jump in front and say “here’s how to apply the patches”…or better still, “we have already applied the patches.”
But so far I haven’t found any manufacturer statements.

A missed opportunity.
Why?
People are more likely to read the cyber press alarms that emphasize the vulnerability than the reports that emphasize the fix.
After all, gotta get those clicks.
